Cyber breaches: are you prepared?
Presented by Michael Gapes, Partner
www.carternewell.com © Carter Newell 2016
Overview
What is cyber crime?
What are the risks and impacts to your
business if you are a target?
What responsibilities do you have to protect a patient's personal
and health information?
How can you protect your organisation from
a cyber breach?
What are the insurance solutions available to transfer
the risk?
So what is cyber crime?
When an individual’s or an organisation’s electronic data is subject
to loss or unauthorised access, use, disclosure, copying or
modification.
There are different types of cyber crime including:
Unauthorised access or hacking;
Malware; and
Denial of service attacks.
These types of attacks are criminal offences under the Criminal
Code Act 1995 (Cth), as well as state and territory laws.
Cyber breaches can also arise from employee negligence or from
poorly managed data sharing and monitoring practices.
They can also arise from the malicious acts of employees and former
employees.
The causes of cyber breaches
Malicious or criminal attacks are the primary cause of cyber
breaches:
Malicious or criminal attack: 46%
System glitch: 27%
Human error: 27%
Some statistics for you…
Cybercrime costs the Australian economy over $2 billion annually.
5.4 million Australians were victims of cyber crime in 2012.
693,000 businesses experienced a cyber crime in 2014.
Recent studies have revealed that up to 70% of all targeted companies are
small businesses.
The average cost to a business that has been subjected to a cyber breach was
$2.64 million.
Post-cyber breach costs on average were $640,000 in 2016 (includes
remediation activities, legal costs, regulatory interventions etc.).
Cyber breaches cost companies an average $142 per record compromised in
2016.
60% of companies will go out of business within one year of a cyber breach.
85% of customers who had their personal data compromised will not deal with
the offending organisation again.
Source: Ponemon Institute Research Report
Some statistics from the
healthcare industry…
There has been a 600% (yes, 600%) increase in cyber attacks on
healthcare organisations since 2014.
The healthcare industry has 4 times the number of security
breaches than other industries.
The industry is 3 times more likely to encounter data theft.
Patient information is 10 times more valuable than other data on the
black market.
Some household names here
Woolworths
iiNet
Aussietravel cover
UQ
David Jones
K-Mart
Aussie Farmers
Patagonia Clothing Company
QLD Tafe
Bureau of Meteorology
The Federal Department of
Employment
West Australian Parliament
Some industry specific
examples
Miami Family Medical Centre
A ransomware attack.
Russian hackers demanded a ransom of $4000 to decrypt information
on the practice’s server.
Some industry specific
examples (cont’d)
Royal Melbourne Hospital (2015)
A virus attack affected the hospital's Windows XP systems.
It was subsequently discovered that the system had serious security faults
that allowed hackers to take control of it remotely.
The virus impacted the Pathology and Radiology Departments.
It was reported that the hospital was forced to send its major trauma
patients to other hospitals.
Luxottica Retail Australia (2015)
Test results and contact details of hundreds of Australian Defence
personnel inadvertently sent to China.
So what are the impacts to your
business?
Business interruption
Damage to network and system
Investigation and compliance costs
Loss of revenue
Loss of clients (liability to 3rd parties less easy to predict)
Reputational and brand damage
Regulatory investigations
Fines and penalties
Civil claims
What are your responsibilities
regarding personal and health
information?
The Privacy Act 1988 (Cth) regulates the handling of personal information
(including health information) about individuals.
The Act applies to all private sector health service providers.
(state and territory public hospitals and health services are not covered under the Act, but may
be covered by state or territory legislation).
‘Personal information’ is information or an opinion about an identified
individual, or an individual who is reasonably identifiable.
‘Health information’ is information about an individual’s health or disability,
as well as any other personal information collected while an individual is
receiving a health service.
The Privacy Act 1988 (Cth)
In March 2014 a unified set of Australian Privacy Principles (APPs)
came into effect. They apply to all Commonwealth Government agencies,
to all businesses with annual turnover >$3 million and, regardless of
turnover, to private sector health service providers.
There are 13 APPs which cover everything from the use and
collection of personal information, to data security, data quality and
access rights.
APP 11 – Security of Personal Information:
An APP entity that holds personal information must take reasonable steps to
protect the information from misuse, interference and loss, as well as
unauthorised access, modification or disclosure.
An APP entity must take reasonable steps to destroy or de-identify the personal
information it holds once the personal information is no longer needed for any
purpose for which the personal information may be used or disclosed under the
APPs.
Reasonable steps – consider the nature and amount of personal information
held.
Breaches of the APPs
A breach of an APP will be an ‘interference with privacy’ under the
Act.
The Australian Information Commissioner has the power to
investigate possible interferences with privacy, either following a
complaint by an individual or on the Commissioner's own initiative.
The Commissioner has a wide range of enforcement powers,
including enforceable undertakings, determinations and can seek
civil penalties of up to $340,000 against individuals and up to $1.7
million against corporations.
See www.oaic.gov.au
Future developments?
Mandatory notification of security
breaches for organisations with
turnovers > $3 million:
Notifying the Australian Information Commissioner of 'serious data
breaches';
Notifying affected individuals.
A new tort of privacy.
How can you protect your organisation
from a cyber breach?
Manage the risk: Understand the nature of the data you hold,
assess whether it is accessible by third parties and identify the risks
that this data faces from a cyber attack.
Have an IT Response Plan: see the OAIC website for an example.
www.oaic.gov.au
Have a Crisis Management Response Plan: to assist you in
dealing with clients, regulators, the media and third parties.
If you are attacked, report it to the Police and ACORN.
www.acorn.gov.au
How can you protect your organisation
from a cyber breach? (cont’d)
See also www.cert.gov.au
Implement effective risk management strategies, procedures and
protocols to protect the data, including:
Keep your software up-to-date;
Install reputable security software, which includes a firewall, anti-virus and
anti-spyware applications;
Develop a backup strategy for your data, and test that you can actually restore
from the backups;
Change all default passwords across all operating systems;
Create non-administrator level accounts for day-to-day use;
Adopt safe online practices, including an Acceptable Use Policy;
Secure any remote access services and implement a BYOD policy;
Protect critical information by using encryption;
Obtain data breach and cyber liability insurance.
Train your staff in these strategies, procedures and protocols.
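The backup point above is the control that decides whether a ransomware demand (as in the Miami Family Medical Centre example earlier) is a nuisance or a crisis, and a backup that has never been test-restored is not a backup. As an added example, not part of the presentation and not the firm's or any vendor's tooling, the following stdlib-only Python sketch writes an archive together with a manifest of SHA-256 digests, performs a test restore into a scratch directory and compares it against the manifest, and rotates old archives. The directory layout, the function names and the sample patient records are constructed for illustration only.

```python
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest_dir: Path, label: str) -> tuple[Path, Path]:
    """Archive every file under `source` into dest_dir/<label>.tar.gz and write
    a manifest holding each file's digest plus the digest of the archive."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"{label}.tar.gz"
    manifest_path = dest_dir / f"{label}.manifest.json"
    files: dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                files[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    # The archive's own digest lets a later check notice that the backup volume
    # itself was altered (e.g. encrypted by ransomware) before any restore.
    manifest_path.write_text(json.dumps(
        {"archive_sha256": sha256_file(archive), "files": files}, indent=2))
    return archive, manifest_path


def verify_backup(archive: Path, manifest_path: Path) -> bool:
    """Test restore into a scratch directory; True only if the archive is intact
    and the restored tree matches the manifest with no missing or extra files."""
    manifest = json.loads(manifest_path.read_text())
    if not archive.is_file() or sha256_file(archive) != manifest["archive_sha256"]:
        return False
    with tempfile.TemporaryDirectory() as tmp:
        scratch = Path(tmp).resolve()
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Reject members whose path would escape the scratch directory.
                for member in tar.getmembers():
                    if scratch not in (scratch / member.name).resolve().parents:
                        return False
                tar.extractall(scratch)
        except (tarfile.TarError, OSError):
            return False
        restored = {p.relative_to(scratch).as_posix(): sha256_file(p)
                    for p in scratch.rglob("*") if p.is_file()}
        return restored == manifest["files"]


def prune_backups(dest_dir: Path, keep: int) -> list[Path]:
    """Rotation: keep the newest `keep` archives (ISO-date labels sort
    chronologically) and remove older ones together with their manifests."""
    archives = sorted(dest_dir.glob("*.tar.gz"))
    to_remove = archives[:-keep] if keep > 0 else archives
    for old in to_remove:
        old.unlink()
        old.with_name(old.name[:-len(".tar.gz")] + ".manifest.json").unlink(missing_ok=True)
    return [a for a in archives if a not in to_remove]


def demo() -> tuple[bool, bool]:
    """Constructed sample: back up two placeholder records and verify, then
    overwrite the archive in place (as ransomware hitting the backup volume
    would) and verify again; the second check must fail."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "records"
        (src / "2016").mkdir(parents=True)
        (src / "2016" / "patient-001.txt").write_text("constructed sample record\n")
        (src / "index.csv").write_text("id,file\n001,2016/patient-001.txt\n")
        archive, manifest = create_backup(src, root / "backups", "2016-06-01")
        before = verify_backup(archive, manifest)
        archive.write_bytes(b"\x00" * archive.stat().st_size)
        return before, verify_backup(archive, manifest)


def rotation_demo() -> list[str]:
    """Constructed sample: three dated backups of an empty tree, keep two."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "empty", Path(tmp) / "backups"
        src.mkdir()
        for label in ("2016-05-30", "2016-05-31", "2016-06-01"):
            create_backup(src, dest, label)
        return [p.name for p in prune_backups(dest, keep=2)]


if __name__ == "__main__":
    print("verified before / after tampering:", demo())
    print("archives kept after rotation:", rotation_demo())
```

Two design points matter for the ransomware case. The manifest must live somewhere the backup volume's attacker cannot reach (offline media or a separate account), otherwise it is encrypted along with the archive and the check is meaningless; and the test restore should be scheduled, not run only once at setup, because silent corruption and changes to the source tree are exactly what it is there to catch.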
Data breach and cyber liability
insurance
Many traditional liability insurance policies such as Management
Liability or Professional Indemnity policies won’t cover many of the
data breaches and cyber crime risks faced by day hospitals.
For instance, these policies won't cover losses arising out of:
Your IT network being hacked and you being locked out of your network;
Your patient data being stolen, leaked or held to ransom;
You being investigated by the OAIC.
So a standalone data breach and cyber liability policy is the best
way to combat these risks and potential liabilities.
What is a data breach and cyber
liability policy and what does it cover?
A good policy will cover a range of potential exposures, including:
Personal and corporate data liability: will pay damages and defence costs for a data breach involving personal or corporate information.
Outsourcing exposures: will pay damages and defence costs for a data breach arising out of the outsourcing of the collection, storage or processing of any data.
Data security liability: will pay damages in the event of physical theft of hardware or data, contamination, denial of access or corruption of data.
Forensic services: will meet the costs of IT experts retained to remediate any damage due to the breach.
What is a data breach and cyber liability
policy and what does it cover? (cont’d)
Defence costs: will pay costs incurred in defending any civil claims or costs involved in responding to any official investigations (for example, by the OAIC).
Fines and penalties: will pay any insurable fines and penalties imposed by a government or regulatory authority.
Notification and monitoring costs: will pay the cost of notifying affected individuals and of putting monitoring in place for mitigation purposes.
Reputation repair: will meet the costs of a PR company engaged to mitigate damage sustained to the company or an individual.
Cyber extortion: will pay any cyber extortion loss (for example, a ransom) to end a security threat (subject to local laws etc.).
Media content: will pay damages in the event of a breach of copyright, IP, plagiarism, piracy, invasion of privacy etc.
Network interruption: will pay income losses suffered as a result of a security failure or breach.
What is a data breach and cyber liability
policy and what does it cover? (cont’d)
It is highly recommended that all healthcare sector participants obtain appropriate data breach and cyber liability insurance.
The cost of these policies is extremely modest.
A good data breach and cyber liability policy will offer a wide range of cover, with appropriate limits of indemnity.
Questions and Resources
Useful resources:
www.oaic.gov.au
www.acorn.gov.au
www.cert.gov.au
Brisbane
Level 13, 215 Adelaide Street
Brisbane QLD Australia 4000
GPO Box 2232
Brisbane QLD 4001
Phone +61 7 3000 8300
Email [email protected]
Sydney
Level 6, 60 Pitt Street
Sydney NSW Australia 2000
Phone +61 2 8315 2700
Melbourne
280 Queen Street
Melbourne VIC Australia 3000
(Via Agency)
www.carternewell.com